How to set token scopes based on user/groups?

brandonlwhite · February 1, 2021, 5:11pm

I want to be able to set various token scopes to control access to various parts of my API, based upon the user’s group membership.

I’m only seeing a way to control access using very specific combinations of requested scopes. I’m referring to Authorization Server / Access Policies.

How can I configure Okta to automatically set token scopes in the response based upon groups/roles/etc?

For comparison, this would be something similar to Auth0’s RBAC settings for APIs – “the scope claim of the access token includes an intersection of the requested permissions and the permissions assigned to the user”

erik · February 2, 2021, 12:29am

Hello,
We do have a number of ways to return group claims. This allows to return all the groups a user is part, or a subset based off of the logic you setup. This claim could be setup for any scope requested, or for specific scope(s).

Note this claim could be named anything you like such as permissions. You could then create groups with a certain naming convention ‘permissions-…’. Then set the filter for this claim to groups start with ‘permissions-’. This should provide similar functionality as RBAC from Auth0 from what I read from their documentation.

brandonlwhite · February 2, 2021, 2:31pm

Erik, thanks for the response.

I’m using AWS API Gateway, with the HTTP configuration and JWT Authorizer. It only facilitates restrictions based on the presence of scopes in the JWT. Therefore, I need Okta’s Authorization server to set scopes based on User Groups.

Is this possible? I cannot figure out how to do it. I see how Okta allows setting custom claims in the token, but this isn’t enough to get the job done. For this to work, Okta needs a way to allow adding to the scp (scope) claim of the token.

nilsanders · February 12, 2021, 5:10pm

Hello,

Maybe you could achieve this by doing something like this.

User logs in to your client app and acquires an ID token.
The ID token includes a multi-value claim that contains the API scopes based on the users group membership.
Token endpoint is invoked to acquire an access token. The “scopes” claim from the previous step is used as the scopes parameter in the request.

Access policy rules configured for the authorization server make sure you can’t request scopes that you are not entitled for based on your group membership.